This disclosure relates generally to computer system security, and more particularly to a privilege based memory pinning mechanism.
High performance computing (HPC) focuses on developing supercomputers, parallel processing algorithms, and related software. Some sectors, such as meteorological and geological studies or genomics research where high performance levels are desirable, may implement HPC systems.
An application process that has sufficient permission to operating system resources may pin some or all of its address space memory pages to attempt to increase performance. Using pinned memory, data accesses may be significantly faster, since the pages containing the required data are already in memory and do not have to be located by the operating system's paging subsystem. Additionally, pinned memory pages are not subject to being paged out from main memory to an external storage device. While the amount of pinned memory pages may be limited on a system-wide basis to a percentage of system memory, without additional access controls application processes may pin and not release large portions of their address space pages, negatively impacting overall system performance, especially for high priority applications.
Conventionally, operating systems protect computer resources such as memory segments and their associated pages through a system of permissions that control which operations, such as read or write, a process can perform on them. Role Based Access Control (RBAC) is an alternative security mechanism for controlling access to computer resources. Within an organization, roles are created for various job functions, and the permissions to perform operations are assigned to the roles. In this way, a system user is assigned a particular role, such as the operator role. The operator role is assigned the permission to shut down and reboot the computer system, among other permissions.
Since an individual user is not assigned permissions directly, but only acquires them through a role, management of individual user permissions becomes a matter of simply assigning the user to appropriate roles. Processes may then be prioritized for access to pinning shared memory when RBAC is extended to allow a similar hierarchy-based system.
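
As an added illustration (not part of the disclosure), the C sketch below shows one way a role-derived pin quota and a system-wide cap could gate a pin request before the memory is actually pinned. The role names, quota values, result codes, and the functions `pin_check` and `pin_if_allowed` are hypothetical; POSIX `mlock()` is assumed as the pinning primitive.

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical role table: names and quotas are assumptions for this example.
 * Higher-priority roles are given larger pin quotas. */
struct role { const char *name; size_t pin_quota; };

static const struct role ROLES[] = {
    { "hpc_batch", 64u << 20 },  /* high priority: up to 64 MiB pinned */
    { "operator",   4u << 20 },  /* up to 4 MiB pinned */
    { "guest",      0        },  /* role carries no pin permission */
};

enum pin_result { PIN_OK = 0, PIN_NO_ROLE, PIN_OVER_ROLE_QUOTA, PIN_OVER_SYSTEM_CAP };

static const struct role *find_role(const char *name) {
    for (size_t i = 0; i < sizeof ROLES / sizeof ROLES[0]; i++)
        if (strcmp(ROLES[i].name, name) == 0) return &ROLES[i];
    return NULL;
}

/* Decide whether a process holding `role` may pin `request` more bytes.
 * proc_pinned: bytes this process already holds pinned
 * sys_pinned:  bytes currently pinned system-wide
 * sys_cap:     system-wide ceiling (e.g. a percentage of system memory) */
enum pin_result pin_check(const char *role, size_t request, size_t proc_pinned,
                          size_t sys_pinned, size_t sys_cap) {
    const struct role *r = find_role(role);
    if (r == NULL) return PIN_NO_ROLE;
    /* Subtract rather than add so a huge request cannot wrap around. */
    if (proc_pinned > r->pin_quota || request > r->pin_quota - proc_pinned)
        return PIN_OVER_ROLE_QUOTA;
    if (sys_pinned > sys_cap || request > sys_cap - sys_pinned)
        return PIN_OVER_SYSTEM_CAP;
    return PIN_OK;
}

/* Pin only after the policy check passes. Returns the policy result, or -1
 * if the kernel itself refuses mlock() (for example, a per-process limit). */
int pin_if_allowed(const char *role, void *addr, size_t len, size_t proc_pinned,
                   size_t sys_pinned, size_t sys_cap) {
    enum pin_result res = pin_check(role, len, proc_pinned, sys_pinned, sys_cap);
    if (res != PIN_OK) return (int)res;
    return mlock(addr, len) == 0 ? PIN_OK : -1;
}
```

A caller that receives `PIN_OK` from `pin_if_allowed` is responsible for calling `munlock()` on the same range when done, so the quota accounting reflects pages that are actually released.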